What is public isn’t safe

I spent part of my winter holidays in Andalucia. Granada, Malaga, Cadiz, Sevilla and Cordoba, then we went to Barcelona, truly a magnificent city, full of culture, life and history. Gaudi, Columbus, Güell, La Rambla, the Gothic Quarter, these are just a few of the things which make Barcelona what it is.

We rented what Americans would call a ‘loft’ – a big living space without walls. In our case, it had simple yet cozy decoration, utilities, a TV and of course, a computer connected to the Internet for the guests to check their mail, running Windows XP Home Edition.

Being an inquisitive type, the first thing for me to do on the loft computer was to run Regedit and look at some of the standard Run keys. Unsurprisingly, there were at least four entries there which looked suspicious, files such as “clock.exe” in the system32 directory being executed at startup, and sure enough, Taskman showed them running in memory.
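The manual check described above (open the Run keys, note anything odd, confirm in Task Manager that it is actually running) can be scripted so that every entry is resolved to a file, cross-referenced with the process list and given a signature status and a hash for later lookup. The script below is an added example, not part of the original post and not a Kaspersky tool; it assumes a modern Windows PowerShell (5.1 or later, for Get-FileHash and Get-AuthenticodeSignature), so it would not run on the Windows XP box in the story, and it only covers the handful of Run/RunOnce keys mentioned, not services, scheduled tasks, Winlogon or the other autostart locations a full triage (or Sysinternals Autoruns) would enumerate.

```powershell
# Added example: list Run/RunOnce autostart entries for the machine and the
# current user, resolve each command to its executable, and report whether
# that executable is running right now, whether it is Authenticode-signed,
# and its SHA-256 hash. Assumes Windows PowerShell 5.1+ (not the original XP host).

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Registry provider metadata returned by Get-ItemProperty; not autorun values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Resolve-AutorunPath {
    # Turn a Run value such as  "C:\Program Files\X\y.exe" /arg  or
    # C:\Windows\system32\clock.exe  into the path of the executable.
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }      # quoted path
    if ($expanded -match '^(\S+?\.exe)') { return $Matches[1] }    # unquoted, first .exe token
    return ($expanded -split '\s+')[0]                             # fall back to first token
}

function Get-RunningImagePaths {
    # Lower-cased set of image paths of all processes we are allowed to inspect.
    $paths = @{}
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        try { if ($p.Path) { $paths[$p.Path.ToLowerInvariant()] = $true } } catch { }
    }
    return $paths
}

function Get-AutorunReport {
    $running = Get-RunningImagePaths
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            $exe    = Resolve-AutorunPath ([string]$prop.Value)
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $sig    = 'n/a'; $hash = 'n/a'
            if ($exists) {
                $sig  = (Get-AuthenticodeSignature -LiteralPath $exe).Status
                $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                Key       = $key
                Name      = $prop.Name
                Command   = $prop.Value
                Exe       = $exe
                Exists    = $exists
                Running   = $running.ContainsKey($exe.ToLowerInvariant())
                Signature = $sig
                SHA256    = $hash
            }
        }
    }
}

# Entries that are running, unsigned, and live in a system directory (like the
# "clock.exe" in system32 from the story) are the ones to look at first.
Get-AutorunReport |
    Sort-Object @{ Expression = { $_.Running -and $_.Signature -ne 'Valid' }; Descending = $true } |
    Format-Table Name, Exe, Running, Signature, SHA256 -AutoSize
```

Run it from an elevated prompt so that the image paths of services and other users' processes are visible to Get-Process; without that, Running will read false for anything you cannot open. A missing file (Exists = false) is itself a finding: a Run value pointing at a deleted binary is a common leftover of a partial cleanup. The hash column is there so the file can be checked against a multi-engine scanner afterwards, which is the step the online scanner performs in the story.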

I quickly brought up the web browser and pointed it to a beta copy of the Kaspersky Online Scanner – a free, rich-featured web-based scanner using the standard KAV engine but which doesn’t require any special installation or purchase.

The scan results were impressive, or maybe a better word is scary – this single machine was running two popular worms – Mabutu.A and LovGate.AE, and no fewer than 15 different trojans and spying software. There were a couple of TrojanSpy binaries which are supposed to steal e-banking information, some which steal common website login/passwords and of course, some which record every keystroke and mail it to a certain address from time to time.

But not all the suspicious Run entries were detected. One of them came up clean, and that made me even more curious. The relevant software seemed to be a commercial application called “Kechua”. Poking a little bit at it with various tools showed me that it took a capture of the screen every 5 minutes, besides intercepting information entered via the keyboard. I found a subfolder in the “Kechua” installation directory with over 5000 capture files, dating almost 2 years back. Needless to say, lots of people over this time had checked mail, talked to the relatives back home on IM, browsed the web, and so on…

I temporarily deactivated this program, deleted the captures of me scanning the computer, called the owner and suggested he buy an antivirus. Then I turned the machine off and focused on the city and its inhabitants. My mail can wait. Public computers are simply too unsafe to use.
